Risk, threat, and vulnerability all have common aspects in information security. They are defined by their degree of exposure to danger or harm. With up to 88% of UK organisations suffering data breaches in 2020¹, understanding risks, threats and vulnerabilities is now of the utmost importance.
Learn what risks, threats, and vulnerabilities are, how they differ, and how understanding them can help your organisation on its InfoSec compliance journey.
What is a Risk?
A risk is the potential for a threat to exploit a vulnerability in an organisation’s IT systems. It could cause damage to the organisation’s reputation, loss of data, or loss of business. Risks include:
- Intrusion - A person, program, or process enters a system without authorisation and makes changes.
- Accidental loss - An employee accidentally deletes data, in the worst case all of it.
- Malicious intrusion - Someone intentionally enters your system to steal data, destroy files, or do other malicious acts.
- Data leakage - Someone leaks information about you to the public through hacking or other means.
What is a Threat?
Threats are anything that can cause harm to the privacy of your information. They include any circumstance that could lead to loss, destruction, or unauthorised access to data. For example: natural disasters, human error (unintentional errors), and malicious attacks.
There are several types of threats, but they all share one common trait: they can compromise the confidentiality, integrity, or availability of your information. There are many ways you can protect your data from threats; here are a few:
- Physical security
Physical security includes all measures to protect physical access to your computer system and data. For example, locking doors and windows and using guards to monitor entrances and exits.
- Information security
Information security includes all measures to protect against unauthorised access to your computer systems, applications, user accounts, data, and information stored on those systems. For example, passwords should be changed regularly so they are not guessed easily.
- Data privacy
Data privacy refers to protecting personal information such as names, addresses and phone numbers from being disclosed without consent; this includes keeping it secret from third parties who might use it for marketing purposes.
What is Vulnerability?
The concept of vulnerability is used in information security to describe the risk of a system or data set being damaged by an external attack. Vulnerability indicates there is a possibility for compromise or damage, but it does not necessarily mean that the system or data set has been compromised.
Vulnerability can be defined as the absence of an effective security safeguard, whether the affected party is an individual, group, or organisation. Here are a few reasons why a system may become vulnerable:
- The system may not be secure. For example, the system is vulnerable to attacks from hackers who can bypass the authentication process if it does not support biometric authentication.
- The environment the system operates in may not be secure. For example, an organisation that uses insecure wireless connections to connect to the internet is vulnerable to unauthorised access to its files.
- The data contained within a system may be vulnerable. Data that is incorrectly encrypted while being transmitted or stored might cause weaknesses in systems that may lead to unauthorised access by third parties.
Vulnerabilities can come in many forms:
- Technical vulnerabilities (such as weak passwords or outdated software).
- Human errors (like not encrypting sensitive files properly).
- Malicious attacks (like hacking into systems).
However, vulnerability is a determining factor only if a certain risk becomes a threat. For example, the same risk can become a threat to a more vulnerable system but not to a less vulnerable system.
Risks, threats, and vulnerabilities are important concepts in information security. Risk is the likelihood of a threat or vulnerability occurring. Threats are the actual occurrences of a risk that could cause harm to a system or its users. Vulnerabilities are flaws in the security of a system that make it more susceptible to attack by an exploit.
Schedule a free demo with our Infosec experts today to see DataGuard’s Infosec-as-a-Service solution in action.